Today, we announced the Constant Guard(tm) security program. This program is a comprehensive approach to protecting customers from increasingly sophisticated online security threats. A feature of the Constant Guard security program, called “Service Notice”, goes into trial today in the Denver area. The purpose of Service Notice is to let customers know whether their computer is infected with a bot (virus). Bots are the leading cause of spam, are responsible for identity theft, information theft, and distributed denial of service (DDOS) attacks.

We believe the Service Notice benefits both Comcast customers as well as the Internet community. The Service Notice helps inform customers that there is a high probability that something may be wrong with their computer and that they could be susceptible to any of the malicious activity listed above. Once customers receive the Service Notice, they will have an option to take steps to fix the problem or close the Service Notice without further action. By taking the steps to fix the problem, customers can clean their computers which in turn may help reduce the risk of information and/or identity theft. Fixing the problem also helps the Internet community because it means less spam and fewer DDOS related service outages.

How will the Service Notice work?

Customers may receive a Service Notice informing them that one or more computers in their house may be infected with a bot. The Service Notice appears as a message layered in front of the page content as shown here:

The customer will be presented with two click-through options: (1) visit the Anti-Virus Center or (2) close the Service Notice. The Anti-Virus Center instructs the customer to perform Operating System updates, download Anti-Virus updates and/or to download the McAfee anti-virus software (provided at no additional cost to Comcast customers). If the customer needs expert technical assistance, the customer will find a link to the McAfee Virus Removal Service. This service is provided by McAfee for an additional fee.

The customer can close the Service Notice without any further action. Comcast may notify the customer again in the future if their security is at risk.

How did Comcast determine that I may have a virus-bot on a computer in my home?

We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connection requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected.

Is Deep Packet Inspection Involved?

No. Deep Packet Inspection is not involved in any way.

Does this technique of detecting bots allow Comcast to see my online activities?

No, this technique does not detect bots based on the online activities, protocols or applications a customer uses. Comcast provides its customers with full access to all the content, services, and applications that the Internet has to offer.

What will the “Service Notice” be used for?

Service Notice may be used for messaging time sensitive critical information to you about your Comcast High-Speed Internet service such as computer security.

How does the “Service Notice” work?

Following is a technical description of how the Service Notice works. The notification platform utilizes a standards based approach developed by the Internet Community known as Internet Content Adaptation Protocol (RFC3507). When a bot is detected and a customer needs to be notified, HTTP traffic (Port TCP 80 only) from the customer’s computer is routed via a Web proxy. The traffic is routed from the customer’s computer to the final destination, a "Web server", without modifying the request. When the traffic from the Web server arrives at the proxy the Service Notice is added to HTML content without modifying the original page and then the combined content is routed back to the customer’s computer. The Service Notice will appear as a message layered in front of the page when viewed in the Web browser. We have published an IETF draft describing how the system works, it is available at: http://www.ietf.org/id/draft-livingood-web-notification-00.txt

Does the proxy cache any information?

The web proxy does not enable caching of the web content and Comcast neither looks at nor stores web traffic information.

Where to find technical updates related to the “Service Notice”?

All technical updates regarding Service Notice will be available on Comcast’s Network Management page: http://networkmanagement.comcast.net
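An added example, not part of the original post and not Comcast's system: one way the aggregation described under "How did Comcast determine that I may have a virus-bot" could combine a third-party feed with connection metadata. The thresholds, the two-signal rule, the use of direct TCP 25 fan-out as a stand-in for spam, and every address are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feeds (documentation address ranges), not real indicators.
FEED_INFECTED = {"192.0.2.10", "192.0.2.30"}   # third-party list of infected IPs
FEED_C2 = {"203.0.113.5", "203.0.113.6"}       # third-party list of C2 addresses

# Assumed thresholds; the post does not state any.
C2_MIN_ATTEMPTS = 5          # repeated connection requests to known C2
SMTP_MIN_DESTINATIONS = 20   # distinct mail servers contacted directly on TCP 25
MIN_SIGNALS = 2              # independent signals required before notifying


@dataclass(frozen=True)
class Flow:
    """Connection metadata only (no payload): source, destination, port, count."""
    src: str
    dst: str
    dst_port: int
    attempts: int = 1


def signals_by_subscriber(flows, infected=FEED_INFECTED, c2=FEED_C2):
    """Return {subscriber_ip: set of signal names} from the feeds plus behaviour."""
    c2_attempts = defaultdict(int)
    smtp_dests = defaultdict(set)
    seen = set()
    for f in flows:
        seen.add(f.src)
        if f.dst in c2:
            c2_attempts[f.src] += f.attempts
        if f.dst_port == 25:
            smtp_dests[f.src].add(f.dst)

    signals = defaultdict(set)
    for ip in seen | set(infected):
        if ip in infected:
            signals[ip].add("listed_by_feed")
        if c2_attempts[ip] >= C2_MIN_ATTEMPTS:
            signals[ip].add("repeated_c2_contact")
        if len(smtp_dests[ip]) >= SMTP_MIN_DESTINATIONS:
            signals[ip].add("spam_like_smtp")
    return {ip: s for ip, s in signals.items() if s}


def subscribers_to_notify(flows, min_signals=MIN_SIGNALS):
    """Notify only when several independent signals agree, to limit false positives."""
    sig = signals_by_subscriber(flows)
    return sorted(ip for ip, s in sig.items() if len(s) >= min_signals)


def sample_flows():
    """Constructed flow records; 192.0.2.30 appears only in the feed."""
    many_mx = [f"198.51.100.{i}" for i in range(1, 41)]
    flows = [Flow("192.0.2.10", "203.0.113.5", 8080, attempts=12)]  # feed + C2
    flows += [Flow("192.0.2.20", mx, 25) for mx in many_mx]         # spam-like only
    flows += [Flow("192.0.2.40", "198.51.100.200", 25),             # ordinary mail
              Flow("192.0.2.40", "203.0.113.6", 443)]               # one stray hit
    flows += [Flow("192.0.2.50", mx, 25) for mx in many_mx[:25]]    # spam-like ...
    flows += [Flow("192.0.2.50", "203.0.113.6", 8080, attempts=7)]  # ... plus C2
    return flows


if __name__ == "__main__":
    for ip, s in sorted(signals_by_subscriber(sample_flows()).items()):
        print(ip, sorted(s))
    print("notify:", subscribers_to_notify(sample_flows()))
```

With these assumed settings, an address that is only listed by a feed or only shows mail fan-out is recorded but not notified.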

Re: Comcast Announces Constant Guard security program

The purpose of Service Notice is to let customers know whether their computer is infected with a bot (virus). Bots are the leading cause of spam, are responsible for identity theft, information theft, and distributed denial of service (DDOS) attacks.

What will the “Service Notice” be used for? Service Notice may be used for messaging time sensitive critical information to you about your Comcast High-Speed Internet service such as computer security.

I get the part about bots.

But what kind of information does "critical information to you about your Comcast High-Speed Internet service" include?

Comcast employees must be authorized to post in the forum in an official capacity. Employees posting here have their names in red and are designated as employees. Names not in red are customers.

This is done to protect customers and for assurance that they are dealing with a Comcast employee. Non-Authorized Employees are allowed to post but cannot state they are employees nor can they allude to being employees.

Re: Comcast Announces Constant Guard security program

Barmar wrote: Read the technical description above, bj. When they've determined that you're infected, all your web traffic is routed through a proxy, and it adds the notification to the returned web page.

Thanks Barmar, I guess I'm just not astute enough to understand any of the technical descriptions above...

Give me a complex recipe and I can interpret, understand and complete to the desired objective..

I was just asking a simple question based on the visual supplied..

There would have been no need for such if the statement had read something along the lines of once a browser is opened this notification would pop up.. Or am I again making an incorrect assumption??

However, coming on the heels of the announcement here, along with some of the things I read at recaptcha, I tend to think the password issue is somehow related to Constant Guard.

Someone in-the-know at Comcast please confirm or deny my theory.

Whether it does or does not have anything to do with it, someone needs to get the change password function to work correctly.

It does no good to recommend a password change if it doesn't work.

Message Edited by Queen-Evie on 10-09-2009 11:16 AM

Re: Comcast Announces Constant Guard security program

We all know that in the past, Comcast has "broken" one thing when fixing things or adding an "improvement".

"TOP OF THE NEWS -- Comcast Testing Malware Alert Service (October 8, 2009). On Thursday, October 8, Comcast began testing a service that alerts its broadband subscribers with pop-ups if their computers appear to be infected with malware. Among the indicative behaviors that trigger alerts are spikes in overnight traffic, suggesting the machine has been compromised and is being used to send spam. Comcast also uses information supplied by research groups about IP addresses that appear to have been infected with malware. The Comcast test program appears to be the first in which a major Internet service provider (ISP) is taking measures to alert customers to potential security issues. Comcast Constant Guard is being piloted in Denver. The alerts will direct users to Comcast's antivirus center where they can receive help cleaning their machines of malware.

http://news.cnet.com/8301-27080_3-10370996-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.pcmag.com/article2/0,2817,2354001,00.asp

[Editor's Note (Schultz): Comcast has taken a big step forward. The question now is whether users who are warned about having virus infections will do anything given that over the years they have been bombarded by pop-up ads, Windows Vista User Access Control warnings, and more.]"

Re: Comcast Announces Constant Guard security program

[Editor's Note (Schultz): Comcast has taken a big step forward. The question now is whether users who are warned about having virus infections will do anything given that over the years they have been bombarded by pop-up ads, Windows Vista User Access Control warnings, and more.]"

That's what worries me, too. Most of the time, if you get a security warning from a program other than the security programs you've installed, it's a fake. And users have been warned not to click on the links in these programs; rather than cleaning your system, they usually take you to malware sites masquerading as security applications.

The image above shows a link "How do I know this notice is from Comcast"? What stops a bogus site from using a link like that? And how do you know it's safe to click on that link?

Then again, the people who are infected are probably not the ones who have learned to be suspicious of these things. That's presumably how they got infected in the first place.

Re: Comcast Announces Constant Guard security program

The idea of an unsolicited browser "Pop Up" that describes an event requiring time sensitive personal action and also contains an actionable Link for remedy can not be tolerated.

This modus operandi is a known infection vector. No knowledgeable browser user would respond other than by terminating the browser session using an operating system task killer function, such as TaskManager in XP.

I'd suggest that the Comcast Constant Guard pop-up UI must not include a clickable link, but instead provide text direction for using a Constant Guard function on the Comcast Home page that the user navigates to using vetted URL or shortcuts in the user's environment.

The Comcast Constant Guard pop-up message could also include a unique user-identifier that could be copied and pasted into the Comcast Home page Constant Guard function if unique identification is in fact necessary or useful.

REQ11: No Advertising Replacement or Insertion: The system must not be used to replace any advertising provided by a website, or insert advertising into websites where none was intended by the owner of a given website.

Re: Comcast Announces Constant Guard security program

The idea of an unsolicited browser "Pop Up" that describes an event requiring time sensitive personal action and also contains an actionable Link for remedy can not be tolerated.

This modus operandi is a known infection vector. No knowledgeable browser user would respond other than by terminating the browser session using an operating system task killer function, such as TaskManager in XP.

I'd suggest that the Comcast Constant Guard pop-up UI must not include a clickable link, but instead provide text direction for using a Constant Guard function on the Comcast Home page that the user navigates to using vetted URL or shortcuts in the user's environment.

The Comcast Constant Guard pop-up message could also include a unique user-identifier that could be copied and pasted into the Comcast Home page Constant Guard function if unique identification is in fact necessary or useful.

We've received similar feedback from a few other people and we're taking it into consideration during the trial.

REQ11: No Advertising Replacement or Insertion: The system must not be used to replace any advertising provided by a website, or insert advertising into websites where none was intended by the owner of a given website.

No I didn't miss that at all. Since a violation of that restriction would carry no penalty other than people shaking their fingers and calling you "naughty," I still feel it's just a matter of time. Recommendations for anti-malware products will probably come first. Besides, the way that requirement is worded permits unrestricted insertion of ads into any web page that already contains at least one ad.

Re: Comcast Announces Constant Guard security program

Besides, the way that requirement is worded permits unrestricted insertion of ads into any web page that already contains at least one ad.

Well, I wrote the requirement and that was not my intent (and I still don't see how that would be the case). If you were to re-write that requirement, what would it look like?

J

How about simply deleting the qualifier, "where none was intended by the owner of a given website." What could the intent of that qualifier possibly be except to allow for the insertion of ads in some cases?

Re: Comcast Announces Constant Guard security program

Barmar wrote: I think the intent of the wording was to allow for cases where they have an agreement with the web site that allows them to insert ads.

And thus would begin the fulfillment of my prediction that this mechanism will one day be used to deliver ads. Furthermore, since the user is forced to click on something in the pop-up in order to get to the original web page, this will train users to click on any pop-up that appears. This will greatly increase the incidence of infected machines, further justifying use of the mechanism. Lovely vicious circle. Advertisers and vendors of anti-malware products will no doubt benefit greatly.

Re: Comcast Announces Constant Guard security program

"The Service Notice helps inform customers that there is a high probability that something may be wrong with their computer and that they could be susceptible to any of the malicious activity listed above."

Is that going to be the basic "you don't have an anti-virus installed and therefore you're in serious danger..." type of thing?

I mean, how does it determine "there is a high probability that something may be wrong with their computer..." without simply guessing?

Because I get pretty sick of that Windows and McAfee stuff insisting I'm going to die horribly within the next few seconds and every computer I own is going to explode if I don't immediately update or install something, and this is what that sounds like to me.

Not really. That doesn't say anything, unless it's in the screenshot that you're talking about, but that's extremely low resolution (as well as over-compressed) and so small on my 24" monitor at 1920x1200 that I can't even read what it says.

It does say in the text, however:

"How did Comcast determine that I may have a virus-bot on a computer in my home? We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connections requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected."

Okay, if that's it, I can see a whole lot of false positives on the horizon, many people worrying for no good reason, much of the time. Just like the way the anti-virus programs figure that OVER protection and undue paranoia are better ideas than playing it realistically. There will be many reports of "infected" IP addresses and such, simply due to their realm or genre, for lack of a better way to say it.

Oh well, forgive me for being skeptical. I mean, Comcast can't even get the "Message has been deleted" thing fixed for the forums, where you're told the message you are trying to access has been deleted, if you're not logged in when you click the email link (And I've been bringing that one up for almost two years and have even been told it's being worked on).... so I'm not real confident.

But it's all good. It might be useful for some people, although I personally feel that all this nannyware creates a false sense of security, as well as countless technical user issues, and the best thing is for people to just be careful where they're going and what they're installing and clicking.

Re: Comcast Announces Constant Guard security program

It's a difficult balancing act, indeed. But infected computers are a serious problem, and ISPs are in the best position to intercede.

Hopefully they'll be relatively conservative in this system, because of how intrusive the results are. It would be less troublesome if they just sent email rather than intercepting web client traffic, but I think it's well known from past experience that customers often ignore these emails. In fact, emails like that are often used by phishers and malware spreaders themselves (when Comcast sends email to notify customers that their port 25 has been blocked, they frequently post here asking if it's legit).

Re: Comcast Announces Constant Guard security program

First of all the initial post by NSM998, needs to be edited to take out McAfee and reflect Comcast Norton Security Suite (CNSS). I'd imagine the resulting paid "tech support" would also have to be with Norton.

I am very curious with how the Constant Guard in the test area is working out with folks who have already made the switch from McAfee to CNSS. Any conflicts?

One last question, will there be a way for an individual user to disable this function?

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Re: Comcast Announces Constant Guard security program

First of all the initial post by NSM998, needs to be edited to take out McAfee and reflect Comcast Norton Security Suite (CNSS). I'd imagine the resulting paid "tech support" would also have to be with Norton.

I am very curious with how the Constant Guard in the test area is working out with folks who have already made the switch from McAfee to CNSS. Any conflicts?

One last question, will there be a way for an individual user to disable this function?

How to contact the Comcast Customer Security Assurance Department:

The Customer Security Assurance organization has been established to ensure a safe and secure online experience for Comcast customers. This team is a dedicated group of security professionals who respond to issues pertaining to phishing, spam, infected PCs (commonly referred to as "bots"), online fraud and other security issues.

Need Email Help? Please post the following information in your post.
Do you use XfinityConnect? The Full or Lite version?
Do you use an email client? Which one? (Eg; Windows Live mail, Outlook, a smartphone etc.)
Which browser/version do you use? And- have you cleared your browser cache?
Which operating system? XP, Vista, Windows 7, Mac OS X
Details of the problem you are having.

Re: Comcast Announces Constant Guard security program

Well this new feature hit Colorado yesterday. My pc got the splash pop up at 3:00 pm. I called Comcast they said it is not them. Comcast did not want a fax of the printscreen, did not want an email of the printscreen. All they told me to do was use their norton and malwarebytes.org to get rid of it.

Then I went to my comcast email to send an email to them anyway and there was an email they sent me at 1:15 pm yesterday. I called comcast again, they said the email is spam it is not from them.

I ran my regular Webroot Security essentials tools, computer associates software, malwarebytes.org, and even downloaded the "comcastic norton." I spent nearly 6 hours running these programs and still the pop up would not go away.

I then went to chat. I should post the chat here. Amazing for it to be documented that Oh, the email is from us but the pop up is not.